Cisco has found default SSH key vulnerabilities in three of its virtual appliances that could be exploited by hackers to gain complete access to systems and intercept traffic.
The vulnerability, which was found by Cisco during internal tests, affects all of the company’s Web Security Virtual Appliances (WSAv), Email Security Virtual Appliances (ESAv), and Content Security Management Virtual Appliances (SMav).
“A vulnerability in the remote support functionality of Cisco WSAv, Cisco ESAv, and Cisco SMAv Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user,” the company said in its security advisory.
“The vulnerability is due to the presence of a default authorised SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv.”
“An exploit could allow the attacker to access the system with the privileges of the root user.”
The advisory noted that the default key vulnerability exists in the remote support functionality of the affected products. Of the second vulnerability, the advisory said that the WSAv, ESAv, and SMAv software could allow an unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliances.
Cisco said there is no workaround for the vulnerability, but it has released patches for all of the affected software versions. Its advisory said that the patch is not required for physical hardware appliances, or for virtual appliance downloads or upgrades after June 25, 2015.
The update, called “cisco-sa-20150625-ironport SSH Keys Vulnerability Fix”, can be found in a list of product upgrades. It must be installed manually from a command line interface, the company said.
